[ipv6hackers] New IETF I-D: "Neighbor Discovery Shield (ND-Shield): Protecting against Neighbor Discovery Attacks"

[Fernando Gont]

Folks,

We have just published a new IETF I-D, entitled "Neighbor Discovery
Shield (ND-Shield): Protecting against Neighbor Discovery Attacks". This
is probably the last missing piece of the "ND mitigation" puzzle (the
others being RA-Guard and DHCPv6-Shield). This one mitigates attack
vectors based on RS, NS, NA, and Redirect messages.

The I-D is available at:
<http://tools.ietf.org/id/draft-gont-opsec-ipv6-nd-shield-00.txt>

For this version in particular, I'm mostly interested in hearing your
thoughts about the issues raised in the "DISCLAIMER" section -- although
detailed feedback is always welcome.

Thanks!

Best regards,
Fernando




-------- Original Message --------
Subject: New Version Notification for draft-gont-opsec-ipv6-nd-shield-00.txt
Date: Tue, 05 Jun 2012 06:05:24 -0700
From: internet-drafts at ietf.org
To: fgont at si6networks.com

A new version of I-D, draft-gont-opsec-ipv6-nd-shield-00.txt has been
successfully submitted by Fernando Gont and posted to the IETF repository.

Filename:	 draft-gont-opsec-ipv6-nd-shield
Revision:	 00
Title:		 Neighbor Discovery Shield (ND-Shield): Protecting against
Neighbor Discovery Attacks
Creation date:	 2012-06-05
WG ID:		 Individual Submission
Number of pages: 22

Abstract:
   This document specifies a mechanism that can be implemented in
   layer-2 devices to mitigate attack vectors based on Neighbor
   Discovery messages.  It is meant to complement other mechanisms
   implemented in layer-2 devices such as Router Advertisement Guard
   (RA-Guard) and DHCPv6-Shield, with the goal of achieving a
   comprehensive IPv6 First Hop Security solution.  This document is
   motivated by the desire to achieve feature parity with IPv4 with
   respect to First Hop Security mechanisms.





The IETF Secretariat